
The Backdoor Program.AP Virus was found in file C:\Documents and Settings\Munchkin\Local Settings\Temp\1B.tmp

I could not access ActiveScan; it was hijacked to another website, but I did use Trend Micro HouseCall. It would not allow me to clean; it kept asking for a ticket, but when I would click on "ticket" it went nowhere. These are what HouseCall came up with and the number of infections:
TROJ_Agent.AG 2
TROJ_StartPage.RE 1
TROJ_Agent.xo 32

Please read through the instructions before you start (you may want to print this out or copy it into a word program).

Please download and install these programs - don't run them yet!!

Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main Ewido screen, click on Update in the left menu, then click the Start update button.
4. Wait until the update finishes (the status bar at the bottom will display "Update successful").
5. Exit Ewido. DO NOT scan yet.
Tutorial if needed.

Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and uncheck "Hide extensions for known file types". Now click "Apply to all folders", then click "Apply", then "OK".

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each:

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.

Important step: Go to Start > Run and type "Services.msc" (without quotes), then hit OK. Scroll down and find the service called:

Remote Procedure Call (RPC) Helper

Be sure to take just this one; the others are legit.

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and, under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK, and close any open windows.

***

Double-click on HSfix and, when asked to merge, say Yes.

***

Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

***

Run About:Buster. This will scan your computer for the bad files and delete them. It will ask to scan the system again; let it. Save the report (copy and paste it into Notepad or WordPad and save it as a .txt file) and post a copy back here when you are done with all the steps.

***

Open HijackThis. Place a check against each of the following, making sure you get them all and not any others by mistake. The log will have changed, so if you cannot find an entry, move to the next.

Close all programs leaving only HijackThis running. Click on Fix Checked when finished and exit HijackThis.

***

Run Ewido Security Suite. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

If Ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one by one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if Ewido needs to be run again.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

***

Reboot back to normal mode.

***

Download: deldomains. To use: right-click and select Install (no need to restart). Should the link above display the text instead of downloading the file, copy and paste the text into Notepad and save the file as deldomains.inf. Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
* Click "Options"
* Move the arrow down to "Custom CleanUp!"
* Put a check next to the following:

Empty Recycle Bins

Delete Cookies

Delete Prefetch files

Scan local drives for temporary files

Cleanup! All Users

Click OK. Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Please do an online virus scan with Panda ActiveScan Here. You need to use Internet Explorer for this scan.

Once you get to the Panda site, scroll down a bit and click on Scan your PC

A new window will appear; click on Check Now!

A new window will appear; fill in the boxes (Country, State, email addy)

Click on Scan Now! If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab): click on Install. Panda will install the component, and then install the latest signature files.

From "Select a device to scan...", choose "My Computer"

Allow the scan to run. It'll take a while.

When complete, click on "See Report", and then on "Save report"; save it to a convenient location.

I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here.

Post back (maybe you will need more than one post):
About:Buster logs
Ewido log
Panda report
HijackThis log
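A PowerShell version of the Services.msc step in the post above, added here as an example; it is not part of the original thread or of any tool the thread mentions. It lists every service with its key name, display name and binary path, flags entries whose display name merely extends a genuine one (the fake "Remote Procedure Call (RPC) Helper" sitting beside the real "Remote Procedure Call (RPC)") or whose binary runs from a temp or user-profile directory, and then stops and disables the confirmed imposter by its key name. The lists of imitated names, known-good names and suspicious path patterns are assumptions for illustration, and Windows PowerShell with Get-WmiObject is assumed; -WhatIf reports without changing anything.

```powershell
# Added example, not code from the thread: find a service whose display name
# imitates a genuine Windows service (or whose binary runs from a temp/profile
# directory), then stop and disable the confirmed imposter by its key name.
# Assumptions for illustration: the imitated names, the known-good names and
# the path patterns. Run in an elevated Windows PowerShell; -WhatIf only reports.

param(
    [string]$SuspectDisplayName = 'Remote Procedure Call (RPC) Helper',
    [switch]$WhatIf
)

# Win32_Service gives key name, display name, binary path and start mode in one
# query; Get-Service alone does not expose the binary path.
$services = Get-WmiObject -Class Win32_Service |
    Select-Object Name, DisplayName, PathName, StartMode, State

# Genuine display names that malware likes to extend with an extra word (assumed list).
$imitated  = @('Remote Procedure Call (RPC)', 'Network Connections', 'Workstation', 'Server')
# Legitimate services that also start with one of those names (assumed list).
$knownGood = @('Remote Procedure Call (RPC) Locator')
# Directories from which no legitimate system service should be started (assumed patterns).
$badPaths  = @('\\Temp\\', '\\Local Settings\\', '\\Documents and Settings\\', '\\Application Data\\')

$flagged = foreach ($s in $services) {
    $reasons = @()
    foreach ($name in $imitated) {
        if ($s.DisplayName -ne $name -and $s.DisplayName -like "$name *" -and
            $knownGood -notcontains $s.DisplayName) {
            $reasons += "display name extends '$name'"
        }
    }
    foreach ($p in $badPaths) {
        if ($s.PathName -match $p) { $reasons += "binary path matches $p" }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name        = $s.Name
            DisplayName = $s.DisplayName
            StartMode   = $s.StartMode
            PathName    = $s.PathName
            Reasons     = ($reasons -join '; ')
        }
    }
}

'Flagged services:'
$flagged | Format-List | Out-String

# Act only on the display name identified in the thread. The cmdlets and sc.exe
# take the key name, so resolve it from the display name first.
$targets = $services | Where-Object { $_.DisplayName -eq $SuspectDisplayName }
if (-not $targets) {
    "No service with display name '$SuspectDisplayName' found."
}
foreach ($t in $targets) {
    "Imposter key name: $($t.Name)   binary: $($t.PathName)"
    if ($WhatIf) {
        "Would stop and disable $($t.Name)"
    } else {
        Stop-Service -Name $t.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $t.Name -StartupType Disabled
        "Stopped and disabled $($t.Name); remove its binary after the reboot."
    }
}
```

Services.msc shows display names, but Stop-Service, Set-Service and sc.exe work on the key name, which is why the script resolves one from the other before acting; from cmd.exe, sc getkeyname "Remote Procedure Call (RPC) Helper" gives the same answer. Disabling rather than deleting keeps the registration available for the log review the helper asks for, and the binary still has to be removed on reboot as the Killbox step does.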

Hi, okay, just got on your site and found this reply. I had not been able to access your site, but in the meantime I finally got on to the ActiveScan site through a link from another site and ran the scan. It found the 2 viruses and said it cleaned them. I have included the scan results and also then ran a new HijackThis log and included it here. The question I have is: should I continue with the instructions above? The reason I ask is because of the following that you had in it:

[QUOTE]Download and unzip HSfix to your desktop.

The above Registry file was written specifically for this infection and is not to be used on any other infection as it could damage a person's PC.[/QUOTE]

Incident    Status    Location

Hi, I printed all instructions and followed them totally. I will list the problems I had.

After deleting all the files with Killbox, when the last file you were to reboot, your instructions said to click "No" at the Pending Operations prompt. I never got the prompt; what I got was the following box: "Pending file rename Operation Registry Data has been removed by external Process". I continued anyway into Safe Mode and did what was listed.

The next problem was with HSfix. You had said when asked to merge say yes. It never asked for a merge; it stated/asked if I wanted to add information to c:\documents and settings\munchkind\desktop\hsfxz???? reg to the registry (sorry, couldn't read my writing).

Next, in the HijackThis log there was an entry for O4 - HKLM\..\RunOnce: [iehv32.exe] C:\WINDOWS\iehv32.exe. I could not find that, but had one only with ievh; since it was not exact I did not check it.

Next: when I tried to run Ewido it closed itself out and I was unable to do a complete scan or make a report. After booting to normal mode I did try running it again, but it closed itself out once again, so I went on to the next step.

So I will enclose the About:Buster log, the Panda ActiveScan report and the new HijackThis log, and hopefully I haven't screwed something up.

Glad I caught the post before you have had a chance to work with it.
I had the virus program and SpySweeper set to scan during the night, and when I got up it had caught a couple of trojans, and SpySweeper a couple of spywares, but what I did notice is there is no longer a Recycle Bin on the desktop.
The shell of the icon is there but nothing behind it; if you right-click you get the option to delete, copy, create shortcut, etc. I downloaded Tweak UI and when you go to Desktop there is not the option of the Recycle Bin, so I am guessing when I did the list of things you had me do I did something wrong.
Kate

Don't worry Kate, you didn't do anything wrong, it's part of the malware. We will get the Recycle Bin back.

"Pending file rename Operation Registry Data has been removed by external Process" is what I meant by the pending operation prompt.

I see Avast and Symantec. You need to run only one antivirus program. Otherwise it will conflict with the other and cause problems like this.

***

Please disable SpySweeper, as it will hinder the removal of some entries. Re-enable it after this advice. To disable SpySweeper Shields:

Click Shields on the left.

Click Internet Explorer and uncheck all items.

Click Windows System and uncheck all items.

Click Startup Programs and uncheck all items.

Exit Spysweeper.

***

Update About:Buster again. Don't run it.

***

Update AdAware SE 1.06. Don't run it yet.

***

Download: deldomains. To use: right-click and select Install (no need to restart). Should the link above display the text instead of downloading the file, copy and paste the text into Notepad and save the file as deldomains.inf. Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

Go to Start > Run and type "Services.msc" (without quotes), then hit OK. Scroll down and find the service called:

Network Security Service (NSS)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and, under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK, and close any open windows.

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each:

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Make sure it reboots to Safe Mode.

***

CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following, then click "Fix Checked":
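What the deldomains.inf step in the post above does, written out in PowerShell as an added example; this is not the INF file from the thread and does not reproduce it. Hijackers add their own hosts and IP ranges to the Internet Explorer zone map so that their pages load in the Trusted sites zone with relaxed settings. The script prints every ZoneMap entry with its zone so you have a record, and with -Remove deletes them all, which is what the note above warns the INF does for the Trusted Zone and Ranges. Which hives the original INF touches is not shown on the page; clearing Domains, Ranges, EscDomains and EscRanges under both HKCU and HKLM is an assumption here.

```powershell
# Added example, not the deldomains.inf from the thread: list, and with -Remove
# clear, the Internet Explorer zone map, where a hijacker registers its own
# hosts as Trusted sites. Assumed scope: Domains, Ranges, EscDomains and
# EscRanges under both HKCU and HKLM. Run elevated for the HKLM keys.

param([switch]$Remove)

$zoneMapRoot = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$subKeys     = @('Domains', 'Ranges', 'EscDomains', 'EscRanges')

# Zone numbers as stored in the registry values.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($sub in $subKeys) {
        $key = "${hive}:\$zoneMapRoot\$sub"
        if (-not (Test-Path $key)) { continue }

        # Each child key is a host (or a subdomain key under it) or a range;
        # each value maps a scheme (http, https, *) to a zone number,
        # e.g. "*=2" puts the host in Trusted sites.
        foreach ($item in Get-ChildItem -Path $key -Recurse) {
            $relPath = $item.Name -replace '^.*\\ZoneMap\\', ''
            foreach ($valueName in $item.GetValueNames()) {
                $zone       = $item.GetValue($valueName)
                $zoneNumber = $zone -as [int]
                $zoneName   = if ($null -ne $zoneNumber -and $zoneNames.ContainsKey($zoneNumber)) {
                    $zoneNames[$zoneNumber]
                } else {
                    'unknown'
                }
                '{0}  {1}  {2}={3} ({4})' -f $hive, $relPath, $valueName, $zone, $zoneName
            }
        }

        if ($Remove) {
            # Removes every host and range under this key, Trusted sites included,
            # exactly as the thread warns the INF does.
            Get-ChildItem -Path $key | Remove-Item -Recurse -Force
            "Cleared $key"
        }
    }
}
```

Run it once without -Remove and keep the output: a host in zone 2 that you never added yourself is the hijacker's entry, and the listing is the evidence the helper would otherwise only see indirectly in the HijackThis O15 lines. After -Remove, sites you genuinely trusted have to be added back by hand.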

I am not running anything other than Avast.
I had removed the Symantec program through Add/Remove Programs last year before I installed Avast.
There is a folder in C:\Program Files\Common Files that it will not allow me to delete, and 2 other files that it did allow me to remove.
If you have any other suggestions before I do the above tasks, please let me know.
Thanks

Go to Start > Run and type "Services.msc" (without quotes), then hit OK. Scroll down and find the service called:

Symantec Event Manager

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and, under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK, and close any open windows.

Do the same for this one: Symantec Password Validation Service

***

Open HijackThis and click on "None of the above, just start the program". Click on the "Config" button (bottom right), click on "Misc Tools", then click on "Delete an NT Service" (a window will pop up). Enter the below item into that field (make sure there are NO spaces before or after the name):

ccEvtMgr

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES. Do the same for this one: ccPwdSvc

Press 'back' and 'scan'.

***

Open HijackThis. Place a check against each of the following, making sure you get them all and not any others by mistake:
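An added example, not from the thread, for the case the "Delete an NT Service" step in the post above is meant to handle: leftover service registrations from a product that was uninstalled. It reads each named service's binary path, refuses to touch the service while its executable still exists (unless -Force), stops and disables it, and then deletes the registration with sc.exe. The service names ccEvtMgr and ccPwdSvc come from the post; the missing-binary safety rule is an assumed check, sc.exe delete applies no "system-critical" check of its own, and nothing here depends on HijackThis.

```powershell
# Added example, not code from the thread: remove leftover service registrations
# from an uninstalled product. sc.exe delete does not apply HijackThis's
# "system-critical" check, so as an assumed safeguard the script only deletes a
# service whose executable no longer exists, unless -Force is given.
# Run in an elevated Windows PowerShell.

param(
    [string[]]$Names = @('ccEvtMgr', 'ccPwdSvc'),   # names from the post above
    [switch]$Force                                   # delete even if the binary exists
)

foreach ($name in $Names) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) { "${name}: no such service (already removed?)"; continue }

    # PathName is the raw ImagePath: possibly quoted, possibly with arguments.
    # Take the quoted part if present, otherwise everything before " -" or " /".
    if ($svc.PathName -match '^"([^"]+)"') {
        $exe = $Matches[1]
    } else {
        $exe = ($svc.PathName -split ' -| /')[0]
    }
    $exeExists = (-not [string]::IsNullOrEmpty($exe)) -and (Test-Path -LiteralPath $exe)

    "${name}: display='{0}' state={1} start={2} exe='{3}' exists={4}" -f $svc.DisplayName, $svc.State, $svc.StartMode, $exe, $exeExists

    if ($exeExists -and -not $Force) {
        "${name}: binary still present; uninstall the product first or use -Force"
        continue
    }
    if ($svc.State -ne 'Stopped') {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    }
    # Disable first so a failed delete cannot leave the service starting at boot.
    & sc.exe config $name start= disabled | Out-Null
    $result = & sc.exe delete $name
    "${name}: $($result -join ' ')"     # e.g. [SC] DeleteService SUCCESS
}
```

If the Service Control Manager answers "marked for deletion", the registration disappears at the next reboot; if the executable is still on disk, the product's own uninstaller is the right tool, which is why the script stops there by default.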

I was not able to delete the following:

[QUOTE]Enter the below item into that field (make sure there are NO spaces before or after the name):

ccEvtMgr

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES. Do the same for this one: ccPwdSvc[/QUOTE]

This is the error message: "Service you entered is system-critical! It can't be deleted." This was for both.